2.0.4 AJ
2010_06_12 Definitions to make reading of ASM code easier (some question marks!)
2010_06_17 AI: I might help ... Thanks Indy!!

* ADKIZDET = analog digital ? detector
* adp = (wft) adapter
* AE = auto exposure
* AF = auto focus
* Angel = Angel routines are subroutines that help develop and debug applications running on ARM-based hardware.
* ALV = Audio LeVel
* Assert = Output a diagnostic message
* BmpDDev = bitmap display device
* CAP = image CAPture
* CAPLV = Capture LV
* ceres = debug hardware connected to camera?
* CFS = card file system?
* CPY = copy
* CTG = catalog
* CRP = crypto
* dcf = digital camera file
* DCS = ?
* DDD = Dust Delete Data
* DEC = jpeg decoding
* DEFC = (image sensor) defect correction ?
* DEFD = (image sensor) defect detection ?
* DL =
* Dlg = (user) dialog
* DP_ = develop
* DPS = direct print system
* DPATH = Data Path. AI: Develop ?
* DM = DebugManager
* EDID = HDMI related. AJ: 4:2:0 etc
* ENG = Engine = digic
* ENGIO = DIGIC ENG input/output
* EM = eventManager
* EV = event
* FA = ?
* FC = file catalog ?
* FCS = file create system?
* fcache = file cache
* FD = face detection
* FEN = fencing
* FG = ?
* FM = File Manager
* FIO = File Input Output
* FR = file reader?
* FW = file writer?
* GUI = Graphical User Interface
* GYO = ?
* HST = histogram
* H264E = h264 encode
* H264dec = h264 decode
* IMPD = image play driver
* jpcore = jpeg core
* JPCORE = hardware assisted codec?
* k241 = WFT-E2 (see related update .fir file)
* LOT = LotusPath
* LV = Live View
* LVCAF = LV contrast AF
* LVCAE = LV contrast AE
* MDET = Motion Detection
* MOVR = movie reader
* MVP = movie player
* MVR = movie recorder
* OIO = Twin engine in one path related
* PB = Play Back
* PBROT = process? bitmap rotation
* PD = ptp dps (develop with eos utility?)
* PM = Power Manager
* PROP = property
* RMT = remote
* RSZ = resize (with digic?)
* RTC = real time clock
* RTOM = remote? transfer object? manager
* SDCOMM = SD card communication
* SDIO = SD input/output
* SHTLV = shutter LV
* SUB = black subtraction ?
* SVG = scalable vector graphics
* TOE = TCPIP Offload Engine?
* TOM = AI: transfer object? manager. AJ will check. Definitely something to do with transfer
* TTJ = TwoInTwoOutJpegPath
* TWIN = dual digic operation / transfer ?
* Semaphore = Semaphores enable tracking of a shared resource through changes in the state of use counters.
* WB = white balance
* Wps = ?
* Wft = wireless file transfer ?

2010_06_09 Hi-mem data lists

0xFFC4F7D8 - 0xFFC72C73 Lens data: 13140 x 11 bytes of data

2010_06_01: strcmp() function located at 0xFF87CBE8

    ROM:FF87CBE8 ; +-------------------+
    ROM:FF87CBE8 ; | AJ_strcmp.R0.n.R1 |
    ROM:FF87CBE8 ; +-------------------+
    ROM:FF87CBE8 ;
    ROM:FF87CBE8 ; int r0 = parm1 = Null term string1
    ROM:FF87CBE8 ; int r1 = parm2 = Null term string2
    ROM:FF87CBE8 ;
    ROM:FF87CBE8 ; int RETURN_R0 = 0 = Strings same up until either is Null_byte
    ROM:FF87CBE8 ;              != 0 = Point at diff parm2+N - parm1+N
    ROM:FF87CBE8
    ROM:FF87CBE8 AJ_strcmp.R0.n.R1

----

2010_05_29: Hotplug structures at 0x1AA4, 0xC0220000, and 0xC0230000

    seg001:00001AA4 aAJ_0x1AA4_hotplug_struct_0x00_to_0x44_initialized % 4
    seg001:00001AA8 aAJ_0x1AA4_hotplug_struct_0x04 % 4
    seg001:00001AAC aAJ_0x1AA4_hotplug_struct_0x08_video_prop_deliver % 4 ; AJ: Ref:TH_hotplug_task()
    seg001:00001AAC ; Passed into TH_prop_deliver() for VIDEO
    seg001:00001AB0 aAJ_0x1AA4_hotplug_struct_0x0C_USB_prop_deliver % 4 ; AJ: Ref:TH_hotplug_task()
    seg001:00001AB0 ; Passed into TH_prop_deliver() for USB
    seg001:00001AB4 aAJ_0x1AA4_hotplug_struct_0x10_TOE_prop_deliver % 4 ; AJ: Ref:TH_hotplug_task() (TCPIP Offload Engine?)
    seg001:00001AB4 ; Passed into TH_prop_deliver() for TOE
    seg001:00001AB4 ; Also used in AJ_TOERequestChangeCBR()
    seg001:00001AB8 aAJ_0x1AA4_hotplug_struct_0x14_HDMI_prop_deliver % 4 ; AJ: Ref:TH_hotplug_task()
    seg001:00001AB8 ; Passed into TH_prop_deliver() for HDMI
    seg001:00001ABC aAJ_0x1AA4_hotplug_struct_0x18_sub_address % 4 ; AJ: Initialized in AJ_initialize_0x1AA4_hotplug_struct()
    seg001:00001ABC ; Sub routine address is stored, then it is called.
    seg001:00001AC0 aAJ_0x1AA4_hotplug_struct_0x1C % 4
    seg001:00001AC4 aAJ_0x1AA4_hotplug_struct_0x20_interrupt_sw % 4 ; Ref: AJ_interrupt_func_sw()
    seg001:00001AC4 ; values set to 1
    seg001:00001AC8 aAJ_0x1AA4_hotplug_struct_0x24_hotplug_video_state % 4 ; AJ: = 0 : Is Disconnected
    seg001:00001AC8 ; = 1 : Is Connected
    seg001:00001ACC aAJ_0x1AA4_hotplug_struct_0x28_dunno % 4 ; AJ: LDR in AJ_initialize_0x1AA4_hotplug_struct()
    seg001:00001ACC ; AJAJ: Don't know what this is yet
    seg001:00001AD0 aAJ_0x1AA4_hotplug_struct_0x2C_dunno % 4
    seg001:00001AD4 aAJ_0x1AA4_hotplug_struct_0x30_hotplug_prev_video_state % 4
    seg001:00001AD4 ; AJ: = 0 : Was Disconnected
    seg001:00001AD4 ; = 1 : Was Connected
    seg001:00001AD8 aAJ_0x1AA4_hotplug_struct_0x34_hotplug_usb_state % 4 ; AJ: USB Hotplug status
    seg001:00001AD8 ; Ref TH_hotplug_task() . bit 2^0 is tested
    seg001:00001AD8 ; 2^0 = 0 = Disconnected
    seg001:00001AD8 ; 2^1 = 1 = Connected
    seg001:00001ADC aAJ_0x1AA4_hotplug_struct_0x38_hotplug_TOE_state % 4 ; AJ: TOE (TCPIP Offload Engine?) Hotplug status
    seg001:00001ADC ; Ref TH_hotplug_task() . bit 2^0 is tested
    seg001:00001ADC ; 2^0 = 0 = Disconnected
    seg001:00001ADC ; 2^1 = 1 = Connected
    seg001:00001AE0 aAJ_0x1AA4_hotplug_struct_0x3C_hotplug_HDMI_state % 4 ; AJ: HDMI Hotplug status
    seg001:00001AE0 ; Ref TH_hotplug_task() . bit 2^0 is tested
    seg001:00001AE0 ; 2^0 = 0 = Disconnected
    seg001:00001AE0 ; 2^1 = 1 = Connected
    seg001:00001AE4 aAJ_0x1AA4_hotplug_struct_0x40_dunno % 4 ; AJ: Initialized in AJ_initialize_0x1AA4_hotplug_struct()
    seg001:00001AE4 ; AJAJ: Don't know what this is yet
    seg001:00001AE8 aAJ_0x1AA4_hotplug_struct_0x44_KernelDry_KerFlag % 4 ; AJ: * NOT SURE WHAT THIS IS YET * need to check the following routines -

    DIGIC:C0220000 aAJ_0xC0220000_HDMI_maybe_hotplug_struct1_0x00_to_0x70 % 4 ; AJ: Ref: TH_hotplug_task()
    DIGIC:C0220004 aAJ_0xC0220000_HDMI_struct1_0x04 % 4
    DIGIC:C0220008 aAJ_0xC0220000_HDMI_struct1_0x08 % 4
    DIGIC:C022000C aAJ_0xC0220000_HDMI_struct1_0x0C % 4
    DIGIC:C0220010 aAJ_0xC0220000_HDMI_struct1_0x10 % 4
    DIGIC:C0220014 aAJ_0xC0220000_HDMI_struct1_0x14 % 4
    DIGIC:C0220018 aAJ_0xC0220000_HDMI_struct1_0x18 % 4
    DIGIC:C022001C aAJ_0xC0220000_HDMI_struct1_0x1C % 4
    DIGIC:C0220020 aAJ_0xC0220000_HDMI_struct1_0x20 % 4
    DIGIC:C0220024 aAJ_0xC0220000_HDMI_struct1_0x24 % 4
    DIGIC:C0220028 aAJ_0xC0220000_HDMI_struct1_0x28 % 4
    DIGIC:C022002C aAJ_0xC0220000_HDMI_struct1_0x2C % 4
    DIGIC:C0220030 aAJ_0xC0220000_HDMI_struct1_0x30 % 4
    DIGIC:C0220034 aAJ_0xC0220000_HDMI_struct1_0x34_hotplug_usb_buf % 4 ; AJ: USB Hotplug status
    DIGIC:C0220034 ; Ref TH_hotplug_task() . bit 2^0 is tested
    DIGIC:C0220034 ; 2^0 = 0 = Disconnected
    DIGIC:C0220034 ; 2^1 = 1 = Connected
    DIGIC:C0220038 aAJ_0xC0220000_HDMI_struct1_0x38 % 4
    DIGIC:C022003C aAJ_0xC0220000_HDMI_struct1_0x3C_hotplug_hdmi_state % 4 ; AJ: HDMI Hotplug status
    DIGIC:C022003C ; Ref TH_hotplug_task() . bit 2^0 is tested
    DIGIC:C022003C ; 2^0 = 0 = Disconnected
    DIGIC:C022003C ; 2^1 = 1 = Connected
    DIGIC:C0220040 aAJ_0xC0220000_HDMI_struct1_0x40 % 4
    DIGIC:C0220044 aAJ_0xC0220000_HDMI_struct1_0x44 % 4 ; AJ: TOE Hotplug status
    DIGIC:C0220044 ; Ref TH_hotplug_task() . bit 2^0 is tested
    DIGIC:C0220044 ; 2^0 = 0 = Disconnected
    DIGIC:C0220044 ; 2^1 = 1 = Connected
    DIGIC:C0220044 ; Ref AJ_TOEDetectISR()
    DIGIC:C0220048 aAJ_0xC0220000_HDMI_struct1_0x48 % 4
    DIGIC:C022004C aAJ_0xC0220000_HDMI_struct1_0x4C % 4
    DIGIC:C0220050 aAJ_0xC0220000_HDMI_struct1_0x50 % 4
    DIGIC:C0220054 aAJ_0xC0220000_HDMI_struct1_0x54 % 4
    DIGIC:C0220058 aAJ_0xC0220000_HDMI_struct1_0x58 % 4
    DIGIC:C022005C aAJ_0xC0220000_HDMI_struct1_0x5C % 4
    DIGIC:C0220060 aAJ_0xC0220000_HDMI_struct1_0x60 % 4
    DIGIC:C0220064 aAJ_0xC0220000_HDMI_struct1_0x64 % 4
    DIGIC:C0220068 aAJ_0xC0220000_HDMI_struct1_0x68 % 4
    DIGIC:C022006C aAJ_0xC0220000_HDMI_struct1_0x6C % 4
    DIGIC:C0220070 aAJ_0xC0220000_HDMI_struct1_0x70_hotplug_video_state % 4 ; AJ: Video Hot plug status
    DIGIC:C0220070 ; Ref TH_hotplug_task() . bit 2^0 is tested
    DIGIC:C0220070 ; 2^0 = 0 = Disconnected
    DIGIC:C0220070 ; 2^1 = 1 = Connected

----

    DIGIC:C0203000 aAJ_0xC0230000_HDMI_struct2_0x00_to_0x4C % 4 ; AJ: Compare following structs:
    DIGIC:C0203004 aAJ_0xC0230000_HDMI_struct2_0x04 % 4
    DIGIC:C0203008 aAJ_0xC0230000_HDMI_struct2_0x08 % 4
    DIGIC:C020300C aAJ_0xC0230000_HDMI_struct2_0x0C % 4
    DIGIC:C0203010 aAJ_0xC0230000_HDMI_struct2_0x10 % 4
    DIGIC:C0203014 aAJ_0xC0230000_HDMI_struct2_0x14 % 4
    DIGIC:C0203018 aAJ_0xC0230000_HDMI_struct2_0x18 % 4
    DIGIC:C020301C aAJ_0xC0230000_HDMI_struct2_0x1C_USB_related % 4 ; AJ: Ref: AJ_USBDetectISR()
    DIGIC:C020301C ; if USB = 0 (Disconnected), Set to 0x18
    DIGIC:C020301C ; if USB = 1 (Connected) Set to 0x1C
    DIGIC:C0203020 aAJ_0xC0230000_HDMI_struct2_0x20_Video_releated % 4 ; AJ: Ref: AJ_VideoDetectISR()
    DIGIC:C0203020 ; if VIDEO = 0 (Disconnected), Set to 0x18
    DIGIC:C0203020 ; if VIDEO = 1 (Connected) Set to 0x1C
    DIGIC:C0203024 aAJ_0xC0230000_HDMI_struct2_0x24 % 4
    DIGIC:C0203028 aAJ_0xC0230000_HDMI_struct2_0x28 % 4
    DIGIC:C020302C aAJ_0xC0230000_HDMI_struct2_0x2C % 4
    DIGIC:C0203030 aAJ_0xC0230000_HDMI_struct2_0x30 % 4
    DIGIC:C0203034 aAJ_0xC0230000_HDMI_struct2_0x34 % 4
    DIGIC:C0203038 aAJ_0xC0230000_HDMI_struct2_0x38 % 4
    DIGIC:C020303C aAJ_0xC0230000_HDMI_struct2_0x3C % 4
    DIGIC:C0203040 aAJ_0xC0230000_HDMI_struct2_0x40 % 4
    DIGIC:C0203044 aAJ_0xC0230000_HDMI_struct2_0x44 % 4 ; AJ: Ref: AJ_HDMIDetectISR()
    DIGIC:C0203044 ; if HDMI = 0 (Disconnected), Set to 0x18
    DIGIC:C0203044 ; if HDMI = 1 (Connected) Set to 0x1C
    DIGIC:C0203048 aAJ_0xC0230000_HDMI_struct2_0x48_TOE_related % 4 ; AJ: Ref: AJ_TOEDetectISR()
    DIGIC:C0203048 ; if TOE = 0 (Disconnected), Set to 0x18
    DIGIC:C0203048 ; if TOE = 1 (Connected) Set to 0x1C
    DIGIC:C020304C aAJ_0xC0230000_HDMI_struct2_0x4C % 4

2010_05_26 List of 16 routines for 'engio_write' to set the zoom level to x1, x5 and x10 respectively, starting at ROM:0xFFC7A304

IntermediatePass_x1

    AJ_STR_to_HDMI_SetImagePass_struct_0x13E8C_0x04_x1,
    AJ_calls_SetImagePass_x1,
    AJ_StartImagePass_x1,
    AJ_0xFFA081D4_seems_to_be_x1_related,
    AJ_calls_Guess_x1_related,
    AJ_Guess_Set_n_Start_x1_related,
    AJ_ImagePass_related_x1,
    AJ_calls_eng_set_dummy_cbr,
    AJ_SetHivshdIrParameter_x1,
    AJ_0x13F78_engine_struct_x1x5x10,
    AJ_SetIntermediatePass_x1,
    AJ_StarIntermediatePass_x1,
    AJ_0x13F78_n_callback_engine_struct_x1x5x10,
    AJ_0x13F78_LockEngineResources_x1x5x10,
    AJ_0x13F78_n_0xC0F1E000_x1x5x10,
    0

IntermediatePass_x5

    AJ_SetImagePassParameter_x5,
    AJ_SetImagePass_x5,
    AJ_StartImagePass_x5,
    AJ_0x13EC0_struct_engio_x5,
    AJ_ClearImagePass_x5,
    AJ_0x13EC0_n_0xC0F08000_struct_engio_x5,
    AJ_Guess_Set_n_clear_ImagePass_x5_related,
    AJ_eng_set_dummy_cbr_x5,
    AJ_null_sub_x5,
    AJ_0x13F78_engine_struct_x1x5x10,
    AJ_SetIntermediatePassMagnify_x5x10,
    AJ_StartIntermediatePassMagnify_x5x10,
    AJ_0x13F78_n_callback_engine_struct_x1x5x10,
    AJ_0x13F78_LockEngineResources_x1x5x10,
    AJ_0x13F78_n_0xC0F1E000_x1x5x10,
    0

IntermediatePass_x10

    AJ_STR_0x13F0C_0x04_SetImagePass_x10_struct,
    AJ_SetImagePass_x10,
    AJ_StartImagePass_x10,
    AJ_Start_n_SetImagePass_x10,
    AJ_dummy_cbr_engio_x10,
    AJ_0xC0F11000_n_0xC0F08000_engio_x10,
    AJ_Guess_Start_n_Set_ImagePass_x10_related,
    AJ_eng_set_dummy_cbr_x10,
    AJ_null_sub_x10,
    AJ_0x13F78_engine_struct_x1x5x10,
    AJ_SetIntermediatePassMagnify_x5x10,
    AJ_StartIntermediatePassMagnify_x5x10,
    AJ_0x13F78_n_callback_engine_struct_x1x5x10,
    AJ_0x13F78_LockEngineResources_x1x5x10,
    AJ_0x13F78_n_0xC0F1E000_x1x5x10,
    0

Rather than filling up everyone's email inbox with unintelligible mush, it's been suggested that I add a 'wiki' for my 5D Mk II analysis.

History

* Join ML team. 2010_03_08
* Ask Canon for an uncompressed HDMI output option rather than save to CF. 2010_03_07 Canon responded with 'No Future Plans'. 2010_03_20
* Got 2.0.4 ROM dumps from 5D Mk II. 2010_03_20
* Imported ROMs into IDA (industry leading disassembler by Hex-Rays). 2010_03_20
* Found a memcpy routine in ASM (ARM assembler) that TH (Trammell) had already found. 2010_03_27 Reason: I'm a newbie! And my IDA setup still has Data and Code wrongly set up.
* TH shares his 'idc' file that can be used to apply his IDA settings to your ROM dump. 2010_04_17 http://groups.google.co.uk/group/ml-devel/browse_thread/thread/5972db41f16b8a62?hl=en By commenting out the destructive lines of an IDC file you can run TH's first, then yours (or vice versa), i.e. without throwing away any analysis you've already done.
* Read through all of the ML_Devel emails. http://groups.google.co.uk/group/ml-devel?hl=en 2010_04_19
* Checked all memory in IDA between FF800000->FFC40000 and FFFE0000->FFFFFFFF by hand, looking for undefined data with 4th bytes like E1, E3, E5, E9, and forcing IDA to 'C'onvert it into code. 2010_05_05
* AI (Arm.Indy) recommends http://www.idabook.com/ as an excellent book to further IDA expertise. 2010_05_08
* AJ (that's me) sent out a garish Excel looking at 'engio' (Digic engine) routines called to set up the Digic. Lots of numbers and no meaning! 2010_05_11
* The list of 48 engio routines is actually groups of 16 consecutive routines called for x1, x5, or x10 zooming respectively. 2010_05_26
* Named all subs passed to 'TH_register_func()'.
* hotplug_struct reviewed. 2010_05_29
* strcmp() function located at 0xFF87CBE8. 2010_06_01
* Pel thinks he's found a Mod Div function called all over the place. 0xFFC47924 PEL_DivideR0byR1() 2010_06_05 Return_R0=R0/R1 (R0 div R1), Return_R1=remainder (R0 mod R1).
* Working through the subroutine lists (and probably PTP lists) around 0xFFC7NNNN. Converting the random data into DCD 'non array lists' so that IDA displays them as Subroutines / known offsets. I know that Canon have released 2.0.7, but I intend to keep eating away at 2.0.4!
* Added a box for definitions known and unknown. 2010_06_12
* Currently working through every call to AJ_engio_write(), trying to document every single engio_write_struct, which routines use them, and how the dynamic ones are populated. -> 4% complete <- 2010_06_15
* PC crashing every 2hrs -> every hour -> finally given up on it. IDA now up and running: Parallels 5 + XP SP3 running on Octocore SL. Parallels is only £50! Amazing. 2010_06_19
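The hand scan in the history above (undefined data whose 4th byte is E1, E3, E5 or E9, which in a little-endian ARM ROM is the top byte of an AL-conditioned instruction) can be automated before the 'C'onvert step in IDA. The script below is an added example and is not AJ's or Magic Lantern's code: it scans a raw little-endian ROM image for runs of such words and reports the address ranges worth reviewing. `SAMPLE_ROM`, `SAMPLE_BASE` and the function names are assumptions made for the example; the sample image is constructed, not a real dump, and the instruction-class table is standard ARM encoding rather than anything taken from the page. It also generalises AJ's byte set to every AL-conditioned word (0xE0..0xEF), which the page does not do.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set

# Top (most significant) bytes AJ looked for in undefined data. An ARM-state
# instruction with the AL (always) condition has 0xE in its top nibble; the
# low nibble of that byte selects the instruction class, so each value maps
# to a family of very common instructions.
AJ_LEADING_BYTES: Set[int] = {0xE1, 0xE3, 0xE5, 0xE9}

# Generalisation (not on the page): every AL-conditioned word. This also
# catches ADD/SUB (0xE0/0xE2), LDMFD epilogues (0xE8) and BL calls (0xEB),
# which the narrow set misses, at the cost of more false positives.
AL_LEADING_BYTES: Set[int] = set(range(0xE0, 0xF0))

CLASS_BY_LEADING_BYTE = {
    0xE1: "data processing, register operand (MOV/CMP/ORR/BX ...)",
    0xE3: "data processing, immediate operand (MOV Rd,#imm / CMP Rn,#imm ...)",
    0xE5: "single data transfer, pre-indexed (LDR/STR Rd,[Rn,#off])",
    0xE9: "block data transfer, pre-indexed (STMFD SP!,{...} prologue)",
}


@dataclass(frozen=True)
class CodeRun:
    start: int  # absolute address of the first candidate word
    count: int  # number of consecutive candidate words


def instruction_class(word: int) -> str:
    """Classify a 32-bit word by its top byte (standard ARM encoding)."""
    top = (word >> 24) & 0xFF
    if top in CLASS_BY_LEADING_BYTE:
        return CLASS_BY_LEADING_BYTE[top]
    if top in AL_LEADING_BYTES:
        return "other AL-conditioned instruction (outside AJ's byte set)"
    return "not an AL-conditioned ARM word (data, pointer or conditional code)"


def find_code_runs(rom: bytes, base: int,
                   leading: Set[int] = AJ_LEADING_BYTES,
                   min_run: int = 2) -> List[CodeRun]:
    """Scan a little-endian ROM image for runs of words whose 4th byte is in
    `leading`. Runs shorter than `min_run` are dropped: a lone 0xE-prefixed
    word is as likely to be a pointer or a data value as an instruction."""
    runs: List[CodeRun] = []
    start = None
    count = 0
    for off in range(0, len(rom) - 3, 4):
        top = rom[off + 3]  # little-endian: the 4th byte holds bits 31..24
        if top in leading:
            if start is None:
                start = base + off
            count += 1
            continue
        if start is not None and count >= min_run:
            runs.append(CodeRun(start, count))
        start, count = None, 0
    if start is not None and count >= min_run:
        runs.append(CodeRun(start, count))
    return runs


def pack_words(words: Iterable[int]) -> bytes:
    """Little-endian 32-bit words -> ROM bytes, as a camera dump is laid out."""
    return b"".join(struct.pack("<I", w) for w in words)


# Constructed sample image (hypothetical, not a real ROM dump). The base is
# inside the FF800000.. range AJ scanned; the encodings are standard ARM.
SAMPLE_BASE = 0xFF800000
SAMPLE_ROM = pack_words([
    0x00000000,  # padding
    0x00004A41,  # the bytes "AJ\0\0": string data
    0xFFC7A304,  # pointer-like table entry: top byte 0xFF, not code
    0xE92D4010,  # STMFD SP!, {R4,LR}   (0xE9) function prologue
    0xE1A04000,  # MOV   R4, R0         (0xE1)
    0xE3A00000,  # MOV   R0, #0         (0xE3)
    0xE5941000,  # LDR   R1, [R4]       (0xE5)
    0xEB000000,  # BL    +8             (0xEB) missed by the narrow set
    0xE8BD8010,  # LDMFD SP!, {R4,PC}   (0xE8) missed by the narrow set
    0x00000000,  # padding
    0xE1500001,  # CMP   R0, R1: an isolated word, filtered out by min_run
    0x00000000,  # padding
])


def report(rom: bytes, base: int, leading: Set[int]) -> List[str]:
    """One human-readable line per run, ready to paste into the notes."""
    lines = []
    for run in find_code_runs(rom, base, leading):
        end = run.start + 4 * run.count - 1
        lines.append(f"{run.start:08X}-{end:08X}: {run.count} candidate words")
    return lines


if __name__ == "__main__":
    print("AJ's byte set:")
    for line in report(SAMPLE_ROM, SAMPLE_BASE, AJ_LEADING_BYTES):
        print("  " + line)
    print("any AL-conditioned word:")
    for line in report(SAMPLE_ROM, SAMPLE_BASE, AL_LEADING_BYTES):
        print("  " + line)
    print(instruction_class(0xE92D4010))
```

On the sample image the narrow set reports one run of 4 words starting at the STMFD prologue and stops at the BL, while the broad set extends the same run through the LDMFD epilogue. Run it over a real dump by reading the file into `rom` and passing the load address IDA uses as `base`; the `min_run` threshold is what keeps table entries and stray data values that happen to start with 0xE from showing up as code.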